(Link to this same post on WordPress)
It’s now been a while since I have tapped on the ‘Forgot password’ link. That’s because these days, my iPhone creates complex passwords, and stores them on my phone for instant recall when I need them. I wasn’t really comfortable about putting all my trust in machines but was willing to give it a shot.
Turned out it was good in theory, but it can sometimes backfire. Like when my phone charger conked off while I was traveling. If I knew my passwords like I once used to, I could have borrowed a phone for essential communication. I think I did have an option of accessing my password manager online or on public WiFi, but that wasn’t a risk I wished to take. I ended up buying whatever unbranded charger was available in that remote place, and hoping it wouldn’t fry my phone before I got home.
After that incident, I took back control of my passwords, and can now access all my key accounts without the help of my digital assistants. I must admit I’m not one of those guys with a photographic memory. My system only works because I have just a handful of accounts that I rate as key accounts. There’s no way I can memorize and recall more than half a dozen passwords.
Anyway, for unimportant websites or whatever, I will let my iPhone handle the password management. But for more important accounts, though I still depend on my password manager to store all my passwords, I don’t let it create passwords anymore. I do that myself.
Here’s the technique I use to make sure these self-created passwords are hard to crack but easy to recall.
Finding a catchy phrase
I start with a phrase that’s easy to recall. Next, I change it slightly to make it nonsensical and end by encrypting it. The final password has to meet the typical password requirements. At least eight characters: with one being in uppercase, one in lowercase, one is a number, and one a symbol.
Anyway, I have recently been getting an overdose of this annoying ad jingle repeatedly playing on the kids’ TV channel in India. It ends up with a ditty that goes like ‘Mamy Poko Pants.’ Though it was an irritant, it was also catchy. So I knew it would be easy to recall. However, if I used that phrase as it is, even Google would be able complete the phrase before I finished typing it.
Making it make sense only to me
As I mulled over what to change it to, an old Hindi song popped up on my phone’s playlist. The song was called ‘Pappu can’t dance, sala.’
Hmm, ‘dance’ rhymed with ‘pants’ so it could replace pants. My kid dances well. Her mother doesn’t. Mamma, mummy, mammy… Mamy can’t dance.
Good recall value, but it didn’t have the rhythm of ‘Mamy Poko Pants.’
Mamy don’t dance. Still not working. The tune sounds closer to ‘Pappu can’t dance.’
Wait a minute, the word for ‘don’t’ in one of the Indian languages is ‘noko,’ a word that rhymes with poko. So we have Mamy Noko Dance.
Sounds good. It syncs perfectly with Mamy Poko Pants. No hacker is going to dream that I used a Marathi word for ‘don’t.’ Better still, it’s grammatically wrong in Marathi, as the correct usage would be ‘Mamy Dance Noko.’ At least, I think so because I don’t really know Marathi, which is again good!
If I can visualise it, I can recall it
The key factor is this password is easy to recall. I have to just picture my wife dancing, and I have a perfect reference photo to that in my mind.
So ‘Mamy Noko Dance’ is our phrase.
Now we need an encryption code. This has to bring in numbers and symbols. We already have alphabets in upper and lower case.
Amateur coder day: numbers
What I’m going to do is substitute a few characters in my phrase with numbers and symbols set to an encryption rule. As I’m creating this rule, only I will know it.
I consider a number rule that replaces the first letter of every word with its number equivalent from my alphabet code key. This would be the unique sentence with all 26 alphabets, ‘The quick brown fox jumped over the lazy brown cow.’ (T is 1, h is 2 , etc). But it means I lose all my capital letters.
How about if I change only the first word? So ‘Mamy Noko Dance’ becomes ‘19amy Noko Dance.’ I think I can live with that.
Now all that’s missing are symbols.
Amateur coder day: symbols
My symbol rule could be all spaces replaced with symbols in some sequence. The keyboard sequence on the Macbook I’m typing on is ~!@#$%^&*.
I have a feeling that ‘~’ is not present on all keyboards, and may not be accepted. So let’s stick with !@#$%^&*.
Since we have only two spaces, our password becomes 19amy!Noko@Dance.
Amateur coder day: tester
Let’s evaluate it. The disadvantage is the password is not as strong as one generated by a password generator. The advantage is it’s still good enough to be rated as ‘very strong’ by any password analyser. But for me, the real plus is it’s possible for me to actually recall this from memory if I follow my rules.
Let me try.
However, it’s not advisable to use one password across all my important accounts. And some sites also insist I change my password periodically.
Life is complicated
This complicates things but again, it’s something I have to live with.
What I can do is have versions of that password running across all accounts. Version 1 uses ! and @ as the symbols. Version 2 uses @ and #. Version 3 uses # and $. Like if I have three email IDs, I grade them as 1,2 and 3, and use those three passwords. After six months, I switch passwords, with version 1 going to email 2, version 2 going to email 3, and version 3 going to email 1.
Every year, I change my catchphrase, and create a new set of passwords for the year.
I have been using a similar system for a few years now, and I haven’t yet been hacked. I do admit that I have sometimes been confused between which of my important accounts was using which version of my password. So I have had to go back to my password manager for help. That only proves it’s good.
Anyway, if like me, you are not comfortable with putting all your passwords in one basket and relying on machines, you can try doing something similar.